Office of the Privacy Commissioner, New Zealand

International Engagement Strategy2018-2021

International Engagement Strategy 2018-2021

Why engage internationally?To effectively protect New Zealanders’ personal information in a global digital environment, the Office of the Privacy Commissioner needs to cooperate and act internationally. This strategy seeks to enhance New Zealanders’ privacy protections and guide OPC’s engagement internationally.

International engagement takes many forms and depending upon context the benefits of engagement differ. Typical benefits may include early warning of emerging risks and to learn how others are responding to those risks. Engagement offers opportunities to share New Zealand’s expertise and to benefit from other’s experiences. Participating in international forums can help ensure that a New Zealand perspective is added to policy making and standard setting. Sometimes OPC’s engagement can help shape an aspect of the international privacy environment by initiating and leading projects that appear to offer particular value. Contacts and partnerships forged through international engagement can provide value beyond the immediate project and be mutually beneficial in other contexts.

These typical benefits all contribute to supporting innovation, extending OPC’s and New Zealand’s influence and working towards creating an international environment to support citizen and consumer trust.

Supporting OPC’s Statement of Intent

This strategy, which supports OPC’s Statement of Intent 2017-20211 which identifies three key measures of success:

1. Increased citizen trust in the digital economy.2. Innovation is promoted and supported.3. Increased influence to improve personal information practices.

1 https://privacy.org.nz/assets/Uploads/OPC-Statement-of-Intent-2017-2021.pdf

This documentPart one sets out the main challenges we face and the associated priorities. Part two covers OPC resourcing, engagement and evaluation. Part three comments on the operating environment. Part four contains three tools: a calendar, a checklist and a glossary.

Recognising the need to be agile in an evolving environment this strategy will be regularly reviewed and may have other supporting tools added.

The document supports and does not replace other policies adopted by OPC’s Senior Leadership Team such as the SOI and the international travel policy.

Part One: Challenges/opportunities and priorities

Challenge/opportunity 1: Ensuring that NZ privacy law is a benchmark for high global standards.Privacy is a fundamental value recognised internationally. The protection of personal information is an essential element in maintaining the trust necessary for the free flow of information across borders. New Zealand is committed to respect for human rights and to active participation in international trade. Trade in the digital age relies upon data flows. Both to protect New Zealanders’ privacy, and to ensure trading partners trust our handling of information, we need effective privacy law that meets global standards. Part of this involves having a privacy authority with the governance, resources and technical expertise to exercise powers effectively and impartially.

Ensuring that New Zealand privacy law is a benchmark for high global standards aligns with OPC’s SOI goal to “ensure New Zealand is recognised as having privacy protections suitable for acceptance by the international community”.

Challenge/opportunity 1: priorities

1.1 OPC will engage as required to maintain EU adequacy

The European Commission monitors the standard of data protection in third countries (such as NZ) that have been formally recognised as providing an ‘adequate level of data protection’. OPC as the ‘competent supervisory authority’ for EU purposes engages with the EC by periodic reports and meetings. There remain some uncertainties in this context as the EU is in the process of changes to its law which may eventually impact upon standards expected of third countries. The EU is also establishing a process for recognising third country adequacy for law enforcement information.

Competitive trade advantageNew Zealand is one of only 4 countries outside Europe to have a formal decision from the European Commission confirming our law provides “an adequate level of data protection” for the unrestricted processing of European personal data. During the period of this strategy it is expected that major Asian economies will also gain this coveted recognition.

1.2 OPC will engage in domestic law reform to ensure NZ law is world class

New Zealand’s privacy law is 25 years old and overdue for replacement. OPC will provide expert advice to officials and engage in law reform processes and advocacy to help ensure that a replacement law reflects international best practice. One particular priority with an international dimension will be to ensure that the new law facilitates cross-border enforcement cooperation. Engagement internationally also connects OPC with emerging international thinking on better practice regulation helping us to ‘bring good ideas home’.

Modernising privacy law for a digital ageThe Government plans to include a mandatory breach notification obligation in NZ’s new privacy law as recommended by the Law Commission, OECD and APEC. The Commissioner has also recommended a data portability right as found in new EU law.

Privacy law must enable cross-border cooperationIn 2007 the OECD issued recommendations for updating privacy laws to provide an effective basis for international cooperation. In 2017 the International Conference of Data Protection and Privacy Commissioners adopted 5 key legislative principles for enforcement cooperation.

1.3 OPC will explore the benefits of NZ accepting further international privacy instruments or entering bilateral or multilateral arrangements

In the interconnected digital age no country can expect to stand alone in setting standards and protecting the privacy of its people. International privacy is rapidly evolving and opportunities will arise for NZ to adopt standards or for OPC to enter useful arrangements. OPC will evaluate the usefulness of participation in treaties (such as the Council of Europe Data Protection Convention), binding arrangements (like APEC’s Cross-Border Privacy Rules system), multilateral enforcement arrangements (like the ICDPPC enforcement cooperation arrangement) and bilateral cooperation MOUs.

If there were to be a good case to do so …New Zealand could, if it wished, seek to accede to the Council of Europe Data Protection Convention 108 and Protocol 181, and apply to participate in the APEC Cross- Border Privacy Rules system and the APEC Privacy Recognition for Processors system. OPC could, if it wished, participate in the ICDPPC Enforcement Cooperation Arrangement or enter into MOUs with overseas privacy enforcement authorities.

1.4 OPC will seek to have New Zealand privacy law recognised by other countries where that may be important to New Zealand trade or New Zealanders’ privacy rights

For 2 decades Europe has maintained a system of formally listing counties that can demonstrate that their privacy laws meet EU standards. This is colloquially referred to as a ‘white list’. Increasingly, other countries are beginning to establish formal lists of national laws recognised for the purposes of their data export requirements, localisation laws or for other purposes. This can be relevant to trade by NZ companies or, in some cases, the rights of New Zealanders. OPC will encourage countries maintaining white lists to cross-recognise the laws of countries, such as NZ, that have already been recognised by the EU. In other cases, OPC will cooperate with overseas authorities to support evaluation and recognition of NZ law.

Did you know? Under a 2017 law, Japan will be able to designate countries to which

personal data can be legally sent in the same way as in-country. The US Privacy Act 1974 limits redress rights to US citizens or permanent

residents but that the US Attorney-General can extend rights to citizens

of other countries under the Judicial Redress Act 2015.

Challenge/opportunity 2: To operate as an effective and influential privacy authority from a geographically isolated base far from peer authorities and the meeting places of international organisations working in privacy. Self-evidently New Zealand is geographically isolated. Distance from other national privacy regulators and the headquarters of international organisations working in privacy makes active engagement more costly and difficult than for authorities in many other countries. However, physical isolation does not lessen the risks to New Zealand in this digital age.

Challenge/opportunity 2: priorities

2.1 Engagement at regional level

Although the distances in the Asia Pacific are vast, we will engage regularly at regional level both through meetings of peer regulators (the APPA Forum) and though inter-governmental organisations (APEC). We will provide a lead where our expertise and capacity permits.

2.2 Strong engagement through global networks of privacy authorities

OPC will continue to engage with the premier global network of privacy commissioners (ICDPPC) and the principal global network for privacy enforcement (GPEN). We will provide a lead where our expertise and capacity permits.

2.3 Selective engagement in other international forums

OPC will continue to take opportunities to engage in other international forums where they bring value to OPC’s work and benefit to New Zealanders and can be undertaken in a cost-effective manner. We will provide a lead where our expertise and capacity permits.

Practical ExampleOPC led work in APEC’s Data Privacy Subgroup to modernise the 10 year old APEC Privacy Framework. This drew upon OPC’s expertise as an experienced privacy regulator and the privacy regulatory reform work we’d been involved in domestically and internationally through OECD and other networks. The improvements in the updated 2015 framework may incrementally bring benefits though regional implementation in CBPRs and CPTPP.

2.4 Bringing the world to New Zealand

OPC will bring international experts to speak at NZ events. We will periodically host in NZ meetings of privacy networks and international organisations working in privacy. OPC will continue to create and take opportunities for remote engagement such as the GPEN Pacific Teleconferences.

Practical ExampleOPC has volunteered to be on a roster to host a meeting of the International Working Group on Data Protection in Telecommunications every 3 or 4 years.

2.5 Participation in non-governmental networks

Recognising the variety of stakeholders involved in privacy and information leadership OPC will also appropriately engage with business and civil society networks (such as IAPP and APSN) to contribute to OPC effectiveness and maintain influence.

2.6 Connecting through government

OPC is an independent Crown entity. Independence is central to our role and effectiveness. Nonetheless we are part of the NZ public sector and we can assist the government and government resources can be of assistance to us. Consistent with our statutory mandate, we play an appropriate part in promoting the interests of ‘New Zealand Inc.’

For instance, we run occasional inter-agency meetings on international privacy to share information across departments. We participate in government procurement programmes to lower the cost of travel. We cooperate with MFAT domestically and abroad. We work with domestic agencies responsible for oversight of intelligence and security agencies in efforts to promote effective oversight in the context of cross-border cooperation arrangements such as ‘Five Eyes’.

Part two: OPC resourcing, engagement and evaluation

1. OPC resources1. Aside from the Commissioner personally, the Assistant Commissioner (Auckland) is

principally responsible for OPC’s international engagement and has been appointed as New Zealand delegate to OECD SPDE and APEC DPS. There is a Policy Adviser (Codes and International) devoted to aspects of international engagement. Beyond that OPC operates a ‘one team’ approach with all staff potentially available to contribute to the work.

2. OPC has an international travel budget with an associated international travel policy and international travel approval process.

3. As OPC is a member of several peer networks, OPC staff can access to certain resources, tools and services such as the GPEN Pacific Teleconference, the GPEN Opportunities Board and the APPA Secondment Framework. OPC will continue to explore opportunities for staff development in the context of international engagement.

2. OPC engagement1. There are certain core repeating meetings that present opportunities for engagement

including APPA (2 p.a.), ICDPPC (1 p.a.), APEC (2 p.a.), IWGDPT (2 p.a.) and OECD (2 p.a.). Traditionally, OPC has participated in all APPA and ICDPPC meetings and attends the other meetings whenever possible.

2. The international travel budget for the last 10 years has ranged from $40,000-$80,000. The actual spend over that period has been between $14,100 and $70,100.

3. Even without any travel from NZ, the contacts established and the tools provided by the networks in which OPC participates (such as GPEN mass contact) are available for staff to seek advice from international peers in relation to problems encountered domestically.

4. Opportunities will be considered for international engagement to contribute to staff capacity building or professional development (e.g. through documented training plans or secondments). This strategy may be used as a resource in staff induction.

3. Measurement and evaluation1. We will seek to develop measures of the value of our international engagement.2. We will report publicly against this strategy.3. We will circulate resources and share insights obtained through the international contact.

Measures and reporting: current examplesIn 2017, OPC ran a baseline survey of OPC staff awareness and use of GPEN tools and plan to repeat the survey in 2018. OPC publishes material on international engagement in the annual report and the costs of the Commissioner’s international travel are published on the OPC website.

Part three: The operating environment

1. International governmental organisationsThe modern approach to regulation of privacy gives effect to international instruments that encourage countries to adopt compatible approaches to data protection while discouraging unjustified barriers to socially useful cross border flows of data. Forty years after the first major instrument was adopted, international policy work continues on how best to achieve these twin aims.

NZ’s privacy approach is based upon OECD Guidelines (1980) and the OECD’s ongoing policy work is undertaken in the Working Party on Security and Privacy in the Digital Economy (SPDE). NZ is also a member of APEC which adopted the APEC Privacy Framework (2005). APEC’s privacy policy work is undertaken in its Data Privacy Subgroup (DPS). Also influential are the Council of Europe and European Union. OPC engages with OECD because our law implements OECD Guidelines and with APEC and OECD because of NZ membership. Engagement with other international bodies relates to their effect on NZ trade, their influence on the general international environment and because of their insights, leadership and expertise in privacy issues affecting all countries.

Work at international level is made more complex and costly because there is no single global privacy standard but rather a series of overlapping, competing and sometimes contradictory standards alongside gaps in coverage. Policy work at international level can often involve creating improved standards, filling gaps and seeking to harmonise regional standards or at least to promote interoperability between them. To be effective OPC cannot simply engage in a single forum.

2. Networking with peersRegulation of privacy is now the norm with over 120 countries having data protection laws. Most of those countries will have a public body with responsibility for privacy. In many cases these with be a Data Protection Authority or a Privacy Enforcement Authority similar to OPC. Given the benefits of sharing experiences with peers a series of networks of regulators have grown up starting with general global and regional meetings (ICDPPC and APPA) and later supplemented by specialist groupings (e.g. GPEN, IWGDPT and CPEA). Engagement with these groups is a big and valuable part of OPC’s international engagement. The working methods vary between simply experience sharing through to developing common positions and standards and creating and operating joint tools. Less well developed, but emerging, is international engagement between DPAs and business and DPAs and civil society.

3. OPC leadershipOPC has taken an active leadership role in many of the networks it engages with. OPC helped establish the Australia-NZ forerunner of APPA and later to expand it to encompass the Asia Pacific. It also was instrumental in establishing GPEN (and later GPEN Alert), and APEC’s

CPEA, and served for years on the inaugural governance bodies of both GPEN and CPEA. OPC provided Chair and Secretariat of the ICDPPC for 3 years and has led numerous ICDPPC working groups. OPC participated in the drafting of the APEC Privacy Framework in 2005 and a decade later led work to update the framework, accomplished in 2017. OPC provides NZ’s delegates to both SPDE and DPS.

4. The digital economyThe growth of the World Wide Web since the enactment of the Privacy Act 1993 and numerous other technological, business and governmental developments have multiplied the risks to privacy and, given global connectedness, the need to engage internationally.

A digital economy statisticThe volume of global data flows has grown 45-fold from 2005-2014, faster than international trade or financial flows - McKinsey Global Institute, Digital Globalization: The New Era of Global Flows, 2016

Part four: Tools – A calendar, checklist and glossary

This strategy assists OPC in prioritising international engagement including committing to international travel and related expenditure. To assist in making decisions on international travel expenditure this part sets out two tools:

A calendar 2018-21: given the long time frame the focus is upon significant recurring international meetings.

A checklist to assist in deciding which international meetings should be attended, by whom and how to seek maximum value for the investment.

A glossary: a quick guide to some of the more common acronyms used in this strategy.

Calendar

All entries are abbreviated. Only recurring meetings are noted. The calendar only includes DPA and international governmental meetings. Where known, the location of meetings is given.

Key: APEC = APEC ECSG DPS; APPA = APPA Forum; ICDPPC = International Conference of Data Protection and Privacy Commissioners; IWGDPT – International Working Group on Data Protection in Telecommunications; OECD = OECD WPSPDE; T-PD – Council of Europe Data Protection Convention Consultative Committee.

Calendar 2018-21Calendar Year First half (January-June) 2nd half (July-December)2018 APEC, PNG

APPAIWGPT, HungaryOECD, ParisT-PD, Strasbourg

APEC, PNGAPPA, NZICDPPC, BrusselsIWGDPT, NZOECD, ParisT-PD, Strasbourg

2019 APEC, ChileAPPAIWGPTOECD, ParisT-PD, Strasbourg

APEC, ChileAPPAICDPPC, TiranaIWGDPTOECD, ParisT-PD, Strasbourg

2020 APEC, MalaysiaAPPAIWGPTOECD, ParisT-PD, Strasbourg

APEC, MalaysiaAPPAICDPPCIWGDPTOECD, ParisT-PD, Strasbourg

2021 APEC, NZAPPAIWGPTOECD, ParisT-PD, Strasbourg

APEC, NZAPPAICDPPCIWGDPTOECD, ParisT-PD, Strasbourg

Further opportunities

The status quo is represented on the calendar by participation in all meetings of APPA and ICDPPC and occasional participation in APEC, IWGDPT and OECD. Within the meetings shown there are further opportunities e.g.:

More regularly participate in APEC, IWGDPT and OECD. Participate in, or organise, ad hoc meetings for any of these networks (e.g. in the past we

have organised workshops and roundtables for APPA, APEC, ICDPPC and OECD). Host meetings – we are hosting APPA and IWGDPT in 2018, there would be an opportunity

to bid to host ICDPPC in 2020. To take a leading role to assist the NZ Government in an aspect of an e-commerce agenda

for APEC 2021.

There are many opportunities to engage if we have the capacity with other international organisations (e.g. as an observer to Council of Europe T-PD), in civil society and business forums (e.g. IAPP) and in standard setting (e.g. ISO).

ChecklistThe OPC International Travel Policy requires staff to complete and submit a written travel approval request on the approved form and gain approval before international travel is booked. This self-completion checklist does not replace that process but is intended to help staff assure themselves that proposed travel will be worthwhile and that the investment will deliver value to OPC and New Zealand and that travel request that are submitted are framed to ensure that finite resources are expended to best effect.

The checklist should be completed but the results need not be submitted. The questions are a starting point and are not the only ones that should be considered.

Ask yourself … Yes/No: If yes, how?Challenge 1: Will this engagement: Help ensure that NZ privacy law is – or will be seen to be - a

benchmark for high global standards? Assist NZ to maintain EU adequacy? Contribute to domestic law reform? Promote cooperation in cross-border enforcement? Be useful to NZ considering accepting further international

arrangements? Be part of having NZ’s law recognised by other countries? Contribute to furthering NZ trade interests? Promote New Zealanders’ privacy rights?Challenge 2: Will this engagement: Further OPC’s core regional relationships with our peers? Further OPC’s core global relationships with our peers? Be likely to bring value to OPC’s operations? Be likely to benefit New Zealanders? Be able to be undertaken in a cost-effective manner? Be one in which OPC has special expertise to contribute that will

be of value to regional partners? Be one in which OPC has the opportunity to show regional or

global leadership?Statement of intent goals: Will this engagement: Contribute to the increase in citizen and consumer trust in the

digital economy? Promote and support innovation? Increase OPC’s influence to improve personal information

practices?Person engaging: Am I the right person to travel or is someone else better suited

for the engagement? May I competently complete the engagement alone?2

Opportunity: Is this an opportunity for OPC that will not be repeated? Will taking this opportunity preclude another opportunity being

taken?3

Budget: Will the available budget cover this meeting and other

commitments in the budget period?Value for money: Is this engagement worth the cost?

2 Having multiple OPC staff travel increases the cost and may reduce the cost-benefit. However, having more than one delegate may be an advantage where meetings split into multiple tracks or where there are various sub-meetings requiring different specialist expertise.3 Examples include where meetings clash or where there are insufficient funds available to engage in all meetings.

Are there opportunities to reduce the cost? Are there opportunities to increase the value? In particular, are there opportunities to combine additional

meetings in the same trip?

GlossaryA quick guide to some of the common acronyms used in this report follows.

APEC Asia Pacific Economic CooperationAPPA Asia Pacific Privacy Authorities [Forum]APSN Asian Privacy Scholars NetworkCBPRs [APEC] Cross Border Privacy Rules systemCPEA [APEC] Cross-border Privacy Enforcement NetworkCPTPP Comprehensive and Progressive Trans Pacific PartnershipDPS [APEC ECSG] Data Privacy SubgroupECSG [APEC] Electronic Commerce Steering GroupFive Eyes A shorthand for ‘AUS/CAN/NZ/UK/US EYES ONLY’, an intelligence allianceGPEN Global Privacy Enforcement NetworkIAPP International Association of Privacy ProfessionalsICDPPC International Conference of Data Protection and Privacy CommissionersISO International Organisation for StandardisationIWGDPT International Working Group on Data Protection in TelecommunicationsOECD Organisation of Economic Cooperation and DevelopmentOPC Office of the Privacy CommissionerSOI Statement of IntentSPDE [OECD Working Party on] Security and Privacy in the Digital EconomyT-PD Council of Europe Data Protection Convention Consultative Committee

1 January 2018